CISOs: A precarious life in an in-demand profession

‘Information security’ is the current buzzword amongst businesses. According to Lynwen Connick, former Department of Prime Minister and Cabinet Assistant Secretary for Information Sharing and Intelligence, and now the ANZ Bank Chief Information Security Officer (CISO), the real impact of cybercrime on Australia could be worth around $17 billion annually.

Tech giant Google’s drive to recruit Australia-based hackers to offset a shortage of information security specialists also points to a global urgency for businesses to make strategic internal changes to protect their information assets. Google isn’t just seeking alternative candidates; it has reinvented its own culture to accommodate a more radical approach to cyber security. This cultural shift flags the kind of organisational change other businesses can expect to make in order to integrate a security-driven ‘no risk’ approach with the business need for competitive advantage, growth and expansion.

If information security is the buzzword, then CISOs (Chief Information Security Officers) are seen as the panacea. Many organisations see the appointment of a CISO into their technology area as the answer to their information security concerns.

“Just recruiting a CISO into an existing technology division isn’t enough,” explains Suzanne Day, Managing Partner at Morgan Young. “Businesses need a CISO to take on a business role, to be able to demonstrate commercial acumen and to have a good understanding of the whole of the business, not just fulfil a back office technical function. It’s getting the balance right between risk and reward.”

To achieve better business focus, some organisations are splitting roles that report to the CISO into separate teams with distinct mandates. This allows some teams to continue the traditional reactive security functions while more proactive teams partner with the business and build cyber security into future growth.

However, as the recent Google global recruitment drive indicates, qualified people to both lead and make up the cyber security teams are in short supply. Lynwen Connick notes that [Australia] “…needs to be a cyber smart nation to take up more of the opportunities cyberspace offers and to respond to the growing cyber threat environment. We need to develop a workforce with the necessary cyber security skills to satisfy this demand.”

Until this happens, local organisations may need to consider recruiting talent from either outside of Australia, or from a different industry to secure people with the right skills and experience to step into roles in cyber security. The real talent shortages are in the mid-markets where organisations are particularly vulnerable to data breaches.

CBA and ANZ, two of Australia’s leading financial institutions, have looked outside of the local industry talent pool for their recent CISO appointments. Yuval Illuz took on the CISO role in the New Year and is a cyber security specialist from Israel. He doesn’t come from a financial services background. Similarly, ANZ has also looked outside of financial services with its recent appointment of Lynwen Connick to the CISO role. Lynwen comes from a public sector background.

Suzanne Day observed that both CBA and ANZ have employed this strategy to secure their recent CISO hires. “These two recent examples at our bigger banks, and Google’s alternative hiring drive, show the need for organisations to be open with their approach to looking for cyber expertise, not only in the executive roles, but across all levels.”

“Getting the right person in the CISO role, and then empowering them with a clear mandate and broad penetration across the business is crucial for ensuring that organisations are setting themselves up for success as they secure their information systems.”

Morgan Young is an Asia Pacific-focused, privately held, retained Executive Search & Leadership Advisory firm. Established in 2007, the firm is a member of the Association of Executive Search Consultants (AESC), the worldwide professional body representing the retained executive search industry. AESC members are the highest quality firms worldwide. The firm has recently completed a number of information security focused mandates with leading companies in the region.